The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2024
All of France’s Top 100 Companies Exposed to Supply Chain Breaches
News summary
- 98% of companies have a breached entity in their third-party ecosystem
- 100% have a breached party in their fourth-party ecosystem
- 7% of companies reported a breach in the last year
- Only 14% of companies with over $100 Billion market capitalisation have a C rating or below.
Paris, France – 26th March 2024 – SecurityScorecard today released a comprehensive analysis of the cybersecurity landscape of the 100 largest companies in France. SecurityScorecard uncovered that 98% of these French companies have a third-party vendor that reported a breach. In comparison, 100% have a relationship with a fourth-party vendor that reported a breach in the past 12 months.
The new research spotlights why the strength of a company’s cybersecurity is directly linked to the security measures of even its smallest vendor. SecurityScorecard threat hunters and data scientists used the world’s largest proprietary risk and threat intelligence dataset to analyse supply chain breaches across France’s 100 largest companies. As third-party breaches, such as MOVEit, dominate breach notifications, understanding the organizations in a supply chain and critical dependencies is essential to reducing risk.
Key findings:
- Supply chain cyber risk: 98% have a breached entity in their third-party ecosystem
France has the highest rate of third- and fourth-party vendor breaches compared to the UK, Germany, and Italy. Additionally, 100% of France’s top companies have a fourth-party vendor that has reported a breach in the last year. SecurityScorecard analysis reveals that supply chain attacks were dominated by one threat actor, the Clop (aka Cl0p) ransomware group.
- Market capitalisation linked to cybersecurity: Only 14% of companies with over $100 billion in market capitalisation have a C rating or below
Companies with higher market capitalisation demonstrated stronger cybersecurity. For example, only 29% of companies with $100 billion to $50 billion market capitalisation had a C rating or below.
- Sector variation: 79% of the Services sector had a C rating or below compared to 29% of the Energy sector
Industry nuances play a key role in shaping the threat landscape. 50% of healthcare companies in France have a C rating or below. Meanwhile, 33% of financial companies have a C rating or below. These two sectors have more numerous, diverse, and specialized third-party relationships that enable third-party breaches. To put it simply: they have more third-party risk because they have more third parties.
- High-risk companies: 40% of companies have a C rating or below
An organization with a C rating has a breach likelihood of 5.4x compared to those with an A rating. The companies deemed high-risk should focus on enhancing application and network security, with particular attention to DNS Health, Endpoint Security, and Patching Cadence.
- Low cybersecurity resilience: Only 60% of France’s top 100 have an A or B score.
Only 21% of companies have an A cybersecurity rating and have not reported a breach for a year. This group consists primarily of energy and financial firms. Cybersecurity resilience is inextricably linked to trust. Organizations’ ability to thwart and rebound from cyberattacks directly influences economic confidence.
A new era of cyber risk management
Just as credit ratings provide a clear and standardized measure of financial credibility, cyber risk ratings can offer a similar benchmark for cybersecurity resilience. The availability of objective data on cybersecurity resilience gives business and government leaders a new language for cyber risk management that permits them to be relentlessly data-driven.
Nadji Raib, Senior Director of Southern Europe and Middle East, said:
“It is clear that the companies represented in this report would benefit from making third-party risk management an integral component of not only their security program but of their vendor selection process as well.
France is already leading the way in cybersecurity in Europe, but these businesses and organisations need to do more now if they are going to be ready for the implementation of DORA [Digital Operational Resilience Act] by January 2025.
SecurityScorecard’s platform facilitates and enhances this effort, providing ratings to evaluate prospective vendors, monitor existing vendors, and hold them accountable.“
Methodology
Our analysis of the top 100 companies in France by market capitalisation shows areas for improvement. This report examined companies in the following sectors: energy, healthcare, finance, manufacturing, transportation, utilities, and technology. The report covers 13 March 2023 to 13th March 2024.
A dynamic threat landscape requires real-time risk assessment. SecurityScorecard gathers significant amounts of non-intrusive data on the cybersecurity performance of companies worldwide. Using this data, SecurityScorecard calculates an overall score, graded A through F, based on ten factors that are predictive of a security breach. Validation of SecurityScorecard scores using statistical analysis demonstrates that companies with an F rating have a 13.8x greater likelihood of a data breach than companies with an A.
For more in-depth information and access to the France top 100 report, please visit: https://securityscorecard.com/research/the-cybersecurity-of-frances-top-100-companies/
About SecurityScorecard
Funded by world-class investors, including Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings, response, and resilience, with more than 12 million companies continuously rated.
Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented rating technology is used by over 25,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight.
SecurityScorecard makes the world safer by transforming how companies understand, improve, and communicate cybersecurity risks to their boards, employees, and vendors. SecurityScorecard achieved the Federal Risk and Authorization Management Program (FedRAMP) Ready designation, highlighting the company’s robust security standards to protect customer information, and is listed as a free cyber tool and service by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Every organization has the universal right to its trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.
Media Contact
Charlie Simon
SecurityScorecard